AntiOnline Security Spotlight: Blaster Worm

Despite some headline-grabbing security bulletins, systems are falling victim to this worm. Read up on what AO community members have to say about it, including some interesting tidbits from those that have 'dissected' it.

What sounds like a video game title out of the 8-bit era is actually one of the most insidious worms to squirm its way across the 'net. This worm exploits the DCOM RPC vulnerability present in most Windows versions of consequence. Microsoft preemptively issued a critical warning and fix a while back, but lo and behold, systems are succumbing to this nasty bug.

Windows users, and systems administrators in particular, are being urged to patch the systems under their watch using WindowsUpdate.com. For those mistrustful of the Windows patching portal, details of the vulnerability and a download link to protect your XP system against the blaster worm can be found here.

Amusingly, the worm's code contains the following string that chides billionaire Bill Gates:

billy gates why do you make this possible? Stop making money and fix your software!!

Despite how you feel about Mr. Gates and his software empire, the fact remains that millions of systems run Windows, from the family room computer to servers that host sites and handle business transactions.

About.com's tonybradley kicked things off last week with this alert straight from the horse's mouth at MS:

A new worm / trojan has been discovered that exploits the RPC flaw from MS Security Bulletin MS03-026:

Quote:

This trojan has been found to be widespread among several universities. In these cases, the recent DCOM RPC vulnerability has been exploited to copy a backdoor trojan (detected as BackDoor-TC since the 4255 DAT files), and the patch for the DCOM RPC vulnerability. Exploited systems are patched, the backdoor is installed, and the Stealther trojan conceals both the backdoor and itself.

The stealther trojan is designed to hide running processes, files, and registry keys. When run, any file name matching CSRS*.EXE will be hidden from the user. Booting an infected system in to Safe Mode, or connecting to it via network share are 2 ways to view the stealth files....

Unintended consequences? If Grinler's word of warning comes to pass, the aftermath can be downright catastrophic.

The scary thing is that a script kiddy can setup a firewall, black ice, etc....and just wait for all the requests to come in for port 135. When their firewall records the request, the script kid knows there is a good chance the box is vulnerable to the exploit. Now they have a box that is most likely exploitable and didn't have to portscan or do other activities that may have raised alarms.

Ouch.

Grinler also goes on to explain precisely what makes this worm so dangerous:

This worm, scans other ip addresses for the RPC exploit that came out recently. When it finds a box that it can exploit...it opens a shell on the remote host and then using that shell downloads a file to the hacked computer. It then launches that program and adds it to the registry so it starts again on reboot.

Granted, the story doesn't end there. Already there are reports of even craftier variants. Worry not, some selfless security experts pitch in to provide tons of advice and helpful links to help keep your systems immune.

Read the rest by following this link. Better yet, join the AO community and add your $0.02 (USD, naturally).

What is AntiOnline?

AntiOnline (AO) is home to many of the most popular network security discussion forums online. Here, participants engage in candid, thought-provoking and enlightening exchanges on security hazards and how to protect your systems against them.

We invite you to join the AO community (it's free!), share your wisdom and learn a few things in the process. Stay tuned as Enterprise IT Planet spotlights the eye-opening discussions and expert participants that have helped make AO the "go to" online resource for network security.

Loading Comments...

Advertiser Disclosure: Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.